{"id":"MAL-2026-6459","summary":"Malicious code in easy-string-kit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8cb77d96cfd133340395df1765df2426f8414d80158e62ee5832ab6d4a18e803)\npackage.json declares a postinstall lifecycle script that automatically runs on npm install and executes roughly 25 curl POST requests harvesting cloud-instance identity and credential data from /data/* paths (ami-id, instance-id, iam/, identity-credentials/, public-keys/, security-groups, mac, hostname, local/public ipv4, etc.). Each value is sent over plain HTTP to http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/, a Burp Suite Collaborator out-of-band exfiltration host controlled by the attacker. The package advertises itself as 'a collection of handy string utility functions' but ships no string-utility code coupled to the install hook — only the exfiltration payload. Author, repository, bugs, and homepage fields are all empty strings, consistent with a disposable namespace-squat used to deliver an exfiltration payload (dependency-confusion / typosquat shape). Installing this package on any host — and especially on a cloud build agent — leaks IAM metadata, SSH public keys, and instance identity to an attacker-controlled collaborator endpoint.\n\n## Source: ossf-package-analysis (afb272eb6208527c57abc9ef604a3776dfdca057e5c9b16e524aa4703df623b4)\nThe OpenSSF Package Analysis project identified 'easy-string-kit' @ 1.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-25T16:31:23.329666540Z","published":"2026-06-25T08:39:07Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-25T08:39:07Z","sha256":"afb272eb6208527c57abc9ef604a3776dfdca057e5c9b16e524aa4703df623b4","source":"ossf-package-analysis","versions":["1.0.1"],"import_time":"2026-06-25T09:12:42.856065352Z"},{"modified_time":"2026-06-25T09:06:09Z","sha256":"c55d7da68cef70d2fe31e80813b424d9dffc89df94655a004ad5b75164bd31ce","source":"ossf-package-analysis","versions":["1.0.4"],"import_time":"2026-06-25T09:12:42.979333164Z"},{"modified_time":"2026-06-25T09:10:57Z","sha256":"f74efd21d4c8aa6f6f7ca656d1e95ce1ed8af540bec178c8dba68d18c100b58e","source":"ossf-package-analysis","versions":["1.0.5"],"import_time":"2026-06-25T09:12:43.095282184Z"},{"modified_time":"2026-06-25T09:45:51Z","sha256":"782d491f535725c6f1d9094004d37fa1b859b51029af438489c43337ca6100c8","source":"ossf-package-analysis","versions":["1.0.8"],"import_time":"2026-06-25T10:28:39.629224177Z"},{"modified_time":"2026-06-25T09:15:47Z","sha256":"b125035c3620d0661cf2f91de0406674fbfa03d2dbd9604bc4be06b2bf91da00","source":"ossf-package-analysis","versions":["1.0.6"],"import_time":"2026-06-25T10:28:39.535440527Z"},{"modified_time":"2026-06-25T16:10:36Z","sha256":"4c8bf2d258e00356212c31be69265d92f7dce0d1d44d722b06fe44af794c3c05","id":"IN-MAL-2026-007521","versions":["1.0.7"],"import_time":"2026-06-25T16:23:40.522701525Z","source":"amazon-inspector"},{"modified_time":"2026-06-25T16:10:29Z","sha256":"8cb77d96cfd133340395df1765df2426f8414d80158e62ee5832ab6d4a18e803","source":"amazon-inspector","versions":["1.0.5"],"import_time":"2026-06-25T16:23:40.111114444Z","id":"IN-MAL-2026-007515"},{"modified_time":"2026-06-25T16:10:28Z","sha256":"996cfedfd2d4f07a054c81e53a6600f942c7191d1741cfbedc0ab5b3eeba80a2","import_time":"2026-06-25T16:23:40.064106976Z","versions":["1.0.8"],"source":"amazon-inspector","id":"IN-MAL-2026-007514"},{"modified_time":"2026-06-25T16:10:33Z","sha256":"ac1d07cf8a31b279f0813624af49d302d733976816c312ddc5b5ae450e33f3fd","import_time":"2026-06-25T16:23:40.335163234Z","versions":["1.0.3"],"id":"IN-MAL-2026-007518","source":"amazon-inspector"},{"modified_time":"2026-06-25T16:10:32Z","sha256":"b239d7d57b3db762c896e61f2ab9c2307258df820bf235c1580e0a4201e57cb5","source":"amazon-inspector","versions":["1.0.4"],"id":"IN-MAL-2026-007517","import_time":"2026-06-25T16:23:40.203919421Z"},{"modified_time":"2026-06-25T16:10:33Z","sha256":"e0c51a3080a31d94680aa3ff7e8804fbc4eb3860b2b60e7e3d0efa2fc8bd1ebc","id":"IN-MAL-2026-007519","versions":["1.0.2"],"import_time":"2026-06-25T16:23:40.398770274Z","source":"amazon-inspector"},{"modified_time":"2026-06-25T16:10:26Z","sha256":"0fbb31b7d499411ca75ce301e70f9fd70e92b962fed95967fadc2d21e434e0dc","id":"IN-MAL-2026-007513","versions":["1.0.6"],"import_time":"2026-06-25T16:23:40.006717888Z","source":"amazon-inspector"},{"modified_time":"2026-06-25T16:10:35Z","sha256":"31e6843fcf9481d9bb7e803995a1710b8d325a7661a8cd8fff5ba6f4be6737a5","import_time":"2026-06-25T16:23:40.4745967Z","versions":["1.0.1"],"id":"IN-MAL-2026-007520","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-string-kit/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-string-kit/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-string-kit/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-string-kit/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-string-kit/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-string-kit/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-string-kit/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-string-kit/v/1.0.1"}],"affected":[{"package":{"name":"easy-string-kit","ecosystem":"npm","purl":"pkg:npm/easy-string-kit"},"versions":["1.0.1","1.0.4","1.0.5","1.0.8","1.0.6","1.0.7","1.0.3","1.0.2"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"b301cb14c2205d3316d96a30b99b0643b0125e5b09143c1877c3812c0fbf76b90fe26d","sha256":"9d72c49c5130c93317fac6d857404086682bcc513b5b5457e0ba917f6d55973c","path":"package.json"}],"package_integrity":[{"filename":"easy-string-kit-1.0.7.tgz","hashes":{"sha512_sri":"sha512-cNRekItuFgRPtDdwb3nJPO7A/vnJtq6yl/dTprmQNHGvQDGhACo0KPuYpVDYqdKuEPlwU4FJ6+cSjZd0XLluOQ==","sha1":"590bd3e82b79a98f84c355e7bbebde0b97d722a2"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/easy-string-kit/MAL-2026-6459.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}